
Make 2 or more separate time charts with 1 search query

cmak
Contributor

I would like to have 1 query that makes 2 or more different time graphs.

Basically, I have a few fields that I would like to plot through time.
However, if I simply plot the fields against time, I get them all in 1 graph since time is the x axis.

I would like the same fields to be right next to each other and away from other fields so it is easier to compare.
For example, when I call:

chart max("field A"), max("field B") by _time

I am getting 1 graph with the x axis as time, and for each time segment, field A is beside field B.

I would like all field A to be beside each other through time, and separately all field B to be together through time.
If this cannot be done with 1 search query, I would need a way to dynamically make multiple different time charts (separate FlashChart modules) with my user interface. I currently have a pulldown that allows multiple selection and the user can control click which fields they would like to see.

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

There are two ways to get there.

1) One fast but limited way to get there is to use the charting key "charting.layout.splitSeries".
Put this setting in your HiddenChartFormatter module:

<param name="charting.layout.splitSeries">true</param>

And then just use the timechart command

timechart max("field A") max("field B")

The splitSeries key tells the chart that instead of charting two lines or two columns on one graph, it should chart the two lines or two columns each in half the space, each in its own separate graph.

2) The normal approach here is very different and that's to use postProcess. PostProcess is a much broader technique where you have a base search that combines the ingredients for 2 or more charts or tables that you need. Then you have 2 or more postProcess searches that carve up the base search correctly in each of the different ways.

For a full explanation of postProcess, and an accounting of why I'm doing everything here in this particular way, carefully read the docs page in Sideview Utils - "Key Techniques > Using PostProcess > an Introduction". The documentation explains all the issues and all the pitfalls.

base search: <your search terms> | bin _time span="1h" | stats count by fieldA fieldB _time

postProcess 1: timechart sum(count) as count by fieldA

postProcess 2: timechart sum(count) as count by fieldB

PS. You should avoid using chart max("field A") max("field B") by _time and instead you should just use timechart max("field A") max("field B"). The main problem with the way you're doing it is that you're not bucketing _time values - this means the statistics can go pretty haywire, and also the performance characteristics of the search can be bad. Use timechart.


0 Karma
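Both approaches from the answer above, put together in one advanced XML view as an added illustration (this is not code from the original post or from Sideview Utils' own documentation). The first row uses the splitSeries key on a single timechart; the second row runs the `stats count by fieldA fieldB _time` base search once and feeds it to two PostProcess branches, each ending in its own FlashChart. The `index=main sourcetype=metrics` search terms and the `-24h` time range are placeholders for your own; module names (Search, PostProcess, HiddenChartFormatter, FlashChart) and layoutPanel names are the standard ones used in Sideview Utils views.

```xml
<view template="dashboard.html">
  <label>One search, two time charts</label>

  <!-- Standard chrome for an advanced XML view -->
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="SideviewUtils" layoutPanel="appHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <!-- Approach 1: splitSeries. One timechart with two series; the formatter
       draws each series in its own half of the panel instead of overlaying them.
       "index=main sourcetype=metrics" is a placeholder for your search terms. -->
  <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="search">index=main sourcetype=metrics | timechart span="1h" max("field A") max("field B")</param>
    <param name="earliest">-24h</param>
    <param name="latest">now</param>
    <module name="HiddenChartFormatter">
      <param name="charting.chart">column</param>
      <param name="charting.layout.splitSeries">true</param>
      <module name="FlashChart"/>
    </module>
  </module>

  <!-- Approach 2: postProcess. The base search is dispatched once; _time is
       bucketed with bin so that stats produces one row per (fieldA, fieldB, hour). -->
  <module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">index=main sourcetype=metrics | bin _time span="1h" | stats count by fieldA fieldB _time</param>
    <param name="earliest">-24h</param>
    <param name="latest">now</param>

    <!-- First carve: one series per fieldA value, drawn in the left panel -->
    <module name="PostProcess">
      <param name="search">timechart span="1h" sum(count) as count by fieldA</param>
      <module name="HiddenChartFormatter">
        <param name="charting.chart">column</param>
        <module name="FlashChart"/>
      </module>
    </module>

    <!-- Second carve: one series per fieldB value, drawn in the right panel.
         Both PostProcess modules read the same finished base search job. -->
    <module name="PostProcess" layoutPanel="panel_row2_col2">
      <param name="search">timechart span="1h" sum(count) as count by fieldB</param>
      <module name="HiddenChartFormatter">
        <param name="charting.chart">column</param>
        <module name="FlashChart"/>
      </module>
    </module>
  </module>
</view>
```

The `span="1h"` on the postProcess timecharts matches the `bin _time span="1h"` in the base search on purpose: the base search has already collapsed each hour into one row per field combination, so a coarser or finer span in the postProcess would either re-sum buckets or leave empty ones. Keeping the base search a `stats` over a small number of distinct field values is also what keeps its result set small, which is what the postProcess pitfalls in the Sideview Utils docs referenced above are about.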


cmak
Contributor

Is there a simple way of suppressing this space so that the columns are displayed right next to each other?

0 Karma

sideview
SplunkTrust
SplunkTrust

I think the blank spaces you're describing are just from the bucketing that timechart does, because both timechart and chart ignore non-numeric values in the same way.

0 Karma

cmak
Contributor

The reason why I used chart instead of timechart is that chart ignores any non-number values.
I have some values in my table like 'N/A'.
In timechart, this leaves a blank space, while in chart it does not take up a blank space.

0 Karma

sideview
SplunkTrust
SplunkTrust

Note that I fixed a typo in my answer where I was telling you to set splitSeries to False instead of true.

0 Karma